While there is nothing surprising these days about finding a website that contains malicious code, it is educational to investigate such sites in order to determine how the bad guys are using the web to scam people and make money. A recent white paper by Sophos documents the increased use of javascript by attackers in their attempts to install malware on victim machines. Recently I came across a site with some malicious javascript that caught my attention. In this article I will detail how the javascript works in its attempt to download and install malware on unsuspecting visitors’ machines.

The site in question is hxxp://www.dompimps.com. Do not attempt to access this site unless you know how to protect your machine or else you may find yourself dealing with a nasty infection (and this one won’t be treatable with antibiotics). I attempted to notify the owners of the site to alert them to the malicious javascript, but I have not received any response. It is impossible to know if this malicious code was installed by the site owners themselves or if it was injected by a hacker who took advantage of a vulnerability in the site. In either case, the result is the same for visitors to this site.

The screen shot below shows the malicious javascript that exists on this site.

Interestingly, no attempt is made to obfuscate this code, which is frequently done with malicious javascript in order to make detection more difficult. The result when someone visits hxxp://www.dompimps.com is that the javascript is executed by the browser, which then loads hxxp://onlineisdudescars.com/js.php. This site has an IP address of 91.193.194.110 and appears to be registered in Latvia. And this is where things get interesting. I submitted this URL to Anubis for analysis and used the provided network trace to determine exactly what this PHP script does. The screen shot below shows the pertinent part of this PHP script and how it attempts to install its malware.

As can be seen, the js.php script makes a call to hxxp://www3.netsurfingprotectionuc.rr.nu/?9247dcba5c=m%2Bzgl2uglqasm%2BLPzaualubj4KKbpZ%2Bk0KWbYKWklJI%3D, which has an IP address of 67.208.74.71 and appears to be registered in Virginia. This site actually serves up the scareware that attempts to install rogue anti-virus software and infect your machine. It is particularly persistent and requires you to kill your browser via task manager in order to get away from the site.

Since I started working on this article last week, the js.php script on hxxp://onlineisdudescars.com has been updated and now refers to hxxp://www4.lawcps-safe.rr.nu/?944184a698=m%2BzgmGuekqmcluOW156Zi6Lm3mvUpnJpaGFvZpFrmlw%3D rather than hxxp://www3.netsurfingprotectionuc.rr.nu/?9247dcba5c=m%2Bzgl2uglqasm%2BLPzaualubj4KKbpZ%2Bk0KWbYKWklJI%3D. Hackers frequently change the source of their malware distribution points to make detection more difficult and help prevent their sites from being exposed and possibly taken offline.

The process described in this article is very typical of how hackers use javascript to install malware on unsuspecting users browsing the web. There are often two or three hosts involved, with the first one being used to distribute the javascript, which has either been placed on a web server without the knowledge of the owners (e.g. via SQL injection) or on purpose by the site owners. The javascript redirects to another site that either attempts to install the malware itself or redirects yet again to a further site that actually hosts the malware. By using this series of redirections and changing the intermediate hosts/URLs occasionally, it is much more difficult to track down the people behind the scam. Understanding how the bad guys use web technology to conduct their attacks can help all of us defend our networks from them.
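The redirection chain described above can be reconstructed from Referer headers in a proxy or network trace. The script below is an added example, not code from the original post; the trace lines are constructed for illustration, and only the hostnames and the scareware URL come from the article.

```python
from urllib.parse import urlsplit, parse_qsl

# Constructed trace (not a real capture): "url<TAB>referer" per request,
# in arrival order; "-" means the request carried no Referer header.
TRACE = """\
hxxp://www.dompimps.com/\t-
hxxp://onlineisdudescars.com/js.php\thxxp://www.dompimps.com/
hxxp://www3.netsurfingprotectionuc.rr.nu/?9247dcba5c=m%2Bzgl2uglqasm%2BLPzaualubj4KKbpZ%2Bk0KWbYKWklJI%3D\thxxp://onlineisdudescars.com/js.php
hxxp://www.dompimps.com/style.css\thxxp://www.dompimps.com/
"""

def parse_trace(text):
    """Return a list of (url, referer) tuples; referer is None when absent."""
    rows = []
    for line in text.splitlines():
        if line.strip():
            url, ref = line.split("\t")
            rows.append((url, None if ref == "-" else ref))
    return rows

def leaf_urls(rows):
    """Requests nothing else referred to: the end of each redirect chain."""
    referred = {ref for _, ref in rows if ref}
    return [url for url, _ in rows if url not in referred]

def build_chains(rows):
    """Walk Referer links backwards from each leaf; returns host sequences."""
    referers = dict(rows)  # url -> referer (None for the entry page)
    chains = []
    for url in leaf_urls(rows):
        chain, cur, seen = [], url, set()
        while cur and cur not in seen:  # seen guards against referer loops
            seen.add(cur)
            chain.append(cur)
            cur = referers.get(cur)
        chains.append([urlsplit(u).hostname for u in reversed(chain)])
    return chains

def looks_opaque(url, min_len=24):
    """True for a single long key=value query with an opaque value, like the
    base64-looking parameter on the scareware URL quoted in the article."""
    qs = parse_qsl(urlsplit(url).query)
    return len(qs) == 1 and len(qs[0][1]) >= min_len

def suspicious_chains(rows, min_hosts=3):
    """Chains crossing >= min_hosts distinct hosts whose last hop carries an
    opaque query: the drive-by redirection pattern described above."""
    return [chain for chain, leaf in zip(build_chains(rows), leaf_urls(rows))
            if len(set(chain)) >= min_hosts and looks_opaque(leaf)]
```

Running `suspicious_chains(parse_trace(TRACE))` returns only the three-host chain ending at the rr.nu scareware URL; the same-site stylesheet request is not flagged.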

One Response to “Profiling the Use of Javascript in a Driveby Download Attack”